Contents
7.7 DDoS
www.issuemakerslab.com
Overview
7.7 DDoS Attack
Cyber attack against major government, news media and financial websites in South Korea and the US
Figure (attack overview): Attacker; Re-Collection Server; C&C IP Relay Server; Distributed Support Server (HDD Destroy Malware); hacked Web Hard sites (spreading malware, flash.gif); Zombie Bot; DDoS Attack
Botnet Begins!
Encryption protocol of the relay bots
  X: send (byte + 0x28) ^ 0x47, recv (byte ^ 0x47) - 0x28. Filenames: dvcmgmt.exe, ntdsbcli.exe, ntdcmgt.exe, inetsvc.exe
  Y: send (byte ^ 0x92) + 0x61, recv (byte - 0x61) ^ 0x92. Filenames: perfmon.exe, tasksc.exe
  Port column, in the order listed: 131; 143; 339; 112, 125, 133; 112, 125, 133; 128, 125, 133
Malware A
  Encryption protocol: XOR 0xCC
  C&C Master Server: ???
  Re-Collection Server: ???
  Distributed C&C Server: netlmgr.exe
  C&C IP Relay Server: 213.33.116.41:53, 216.199.83.203:80, 213.23.243.210:443
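The byte transforms above are simple enough to reimplement and test directly. The following is an added example, not IssueMakersLab code: it implements the send/recv pairs of variants X and Y and the single-byte XOR of malware types A (0xCC) and B (0xFC), identifies which variant produced a captured blob by known plaintext, and recovers the per-sample 8-byte XOR key of type C from known plaintext. The sample messages, the 8-byte key and the "CMD" prefix used for identification are constructed for the example and are not taken from the malware.

```python
"""Encode/decode helpers for the relay encodings named on the slide.
Added example, not IssueMakersLab code. The sample message, the 8-byte key and
the 'CMD' known-plaintext prefix are constructed assumptions."""

# All transforms work on single bytes, so results are reduced mod 256.

def encode_x(data: bytes) -> bytes:
    """Variant X, send direction: (b + 0x28) ^ 0x47."""
    return bytes(((b + 0x28) & 0xFF) ^ 0x47 for b in data)

def decode_x(data: bytes) -> bytes:
    """Variant X, receive direction: (b ^ 0x47) - 0x28."""
    return bytes(((b ^ 0x47) - 0x28) & 0xFF for b in data)

def encode_y(data: bytes) -> bytes:
    """Variant Y, send direction: (b ^ 0x92) + 0x61."""
    return bytes(((b ^ 0x92) + 0x61) & 0xFF for b in data)

def decode_y(data: bytes) -> bytes:
    """Variant Y, receive direction: (b - 0x61) ^ 0x92."""
    return bytes(((b - 0x61) & 0xFF) ^ 0x92 for b in data)

def xor_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. A 1-byte key gives types A (0xCC) and B (0xFC);
    an 8-byte key gives type C. XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# name -> (encode, decode) for the variants whose constants are fixed
VARIANTS = {
    "X": (encode_x, decode_x),
    "Y": (encode_y, decode_y),
    "A (XOR 0xCC)": (lambda d: xor_key(d, b"\xCC"), lambda d: xor_key(d, b"\xCC")),
    "B (XOR 0xFC)": (lambda d: xor_key(d, b"\xFC"), lambda d: xor_key(d, b"\xFC")),
}

def identify_variant(blob: bytes, known_prefix: bytes) -> list:
    """Names of every fixed-constant variant whose decode of `blob` starts with
    `known_prefix` (known-plaintext check; the prefix itself is an assumption)."""
    return [name for name, (_, dec) in VARIANTS.items()
            if dec(blob[:len(known_prefix)]) == known_prefix]

def recover_xor_key(blob: bytes, known_plaintext: bytes, key_len: int = 8) -> bytes:
    """Type C: the 8-byte key is random per sample, but XOR leaks it wherever the
    plaintext is known: key[i] = blob[i] ^ plaintext[i] for the first key_len bytes."""
    if len(known_plaintext) < key_len or len(blob) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(blob[i] ^ known_plaintext[i] for i in range(key_len))

if __name__ == "__main__":
    msg = b"CMD\x01 constructed relay message"   # constructed sample, not a real capture
    for name, (enc, dec) in VARIANTS.items():
        wire = enc(msg)
        assert dec(wire) == msg
        print(f"{name:14s} {wire.hex()}  ->  {identify_variant(wire, b'CMD')}")
    key = bytes.fromhex("0f1e2d3c4b5a6978")       # stands in for the random 8-byte key
    wire = xor_key(msg, key)
    print("type C key recovered:", recover_xor_key(wire, msg) == key)
```

The known-plaintext identification is the practical point: because every variant is a fixed byte-wise transform, a single captured message plus a few bytes of expected content (a command keyword, a file header) is enough to tell the variants apart, and for type C the same few bytes give back the whole key.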
Structure of Botnet
The botnet is composed in a hierarchical structure. The C&C function was not a single server: it was distributed over thousands of hosts that had themselves been hacked.
Figure (botnet tiers): Re-Collection Server, C&C IP Relay Server, C&C Master Server
3 Types of Malware
Type A: encryption protocol XOR 0xCC
Type B: encryption protocol XOR 0xFC
Type C: encryption protocol XOR random 8 bytes
DDoS Malware (July ~)
  Files: msiexec?.exe (= ntdll.exe), wmiconf.dll, pxdrv.nls, wimgat.exe, ntscfg.dll, atv04nt5.img, wmcfg.exe
  Roles labelled on the slide: Beginning, C&C IP Relay Server Information, DDoS Config File, Spam, HDD MBR Destroy (mstimer.dll, wversion.exe)
Information Stealing Malware (May ~)
  Files: ntmpsvc.dll, netlmgr.dll, ssdpupd.dll
  Config files: perfb093.dat, drmkf.inf, regscm.dll (early: rasmcv.dll), maus.dl, sysvmd.dll (early: sysenv.dll), dhcp32.exe (= ntdll.exe), vol32.css, perfvwr.dll, svrms.nls
Command format (fields as labelled in the figure):
  A: Compare Time
  B: Command Code1
  C: Start Time
  D: End Time
  E: Command Code2
  F: File Size
  G: File Data
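A parser for a record with those seven fields, written as an added example (not IssueMakersLab code). The slide gives only the field names; the layout below (little-endian, 4-byte Unix times for A, C and D, 2-byte codes for B and E, 4-byte size for F) and the reading that the compare time is checked against the start/end window are assumptions, as is the sample record it builds.

```python
"""Parser for the command record whose fields the slide labels A..G.
Added example, not IssueMakersLab code. Field widths, byte order and the
time-window check are assumptions; the sample record is constructed."""
import struct
from dataclasses import dataclass

# A compare time, B code1, C start time, D end time, E code2, F file size (assumed layout)
HEADER = struct.Struct("<IHIIHI")

@dataclass
class Command:
    compare_time: int
    command_code1: int
    start_time: int
    end_time: int
    command_code2: int
    file_data: bytes

    @property
    def active(self) -> bool:
        """Assumed semantics: the command applies when the compare time
        falls inside the [start_time, end_time] window."""
        return self.start_time <= self.compare_time <= self.end_time

def build_command(compare_time: int, code1: int, start: int, end: int,
                  code2: int, payload: bytes) -> bytes:
    """Serialise a record; F is derived from the payload so it is always consistent."""
    return HEADER.pack(compare_time, code1, start, end, code2, len(payload)) + payload

def parse_command(blob: bytes) -> Command:
    """Parse and validate a record, refusing short headers, a file-size field
    that disagrees with the data actually present, and inverted time windows."""
    if len(blob) < HEADER.size:
        raise ValueError(f"header needs {HEADER.size} bytes, got {len(blob)}")
    a, b, c, d, e, f = HEADER.unpack_from(blob)
    data = blob[HEADER.size:]
    if len(data) != f:
        raise ValueError(f"file size field says {f} bytes but {len(data)} follow")
    if c > d:
        raise ValueError("start time is after end time")
    return Command(a, b, c, d, e, data)

def is_well_formed(blob: bytes) -> bool:
    try:
        parse_command(blob)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample: a window around 2009-07-07 00:00 UTC carrying a small payload.
    blob = build_command(1246924800, 1, 1246900000, 1246950000, 2, b"constructed payload")
    cmd = parse_command(blob)
    print(cmd, "active:", cmd.active)
    print("truncated record well-formed:", is_well_formed(blob[:-1]))
```

Checking F against the bytes actually received is the part worth copying into any real decoder: a length field that is trusted blindly is how a parser reads past the end of a buffer or writes a partial file to disk as if it were complete.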
ETC
Figure: eleven packets, labelled in order as 1 Original, 2 Spoofing, 3 Original, 4 Spoofing, 5 Original, 6 Spoofing, 7 Original, 8 Spoofing, 9 Target, 10 Original, 11 Original
Botnet Counter-Attack
Demo
It's Showtime!
Q&A
Questions?
Contact us via e-mail: sionics 0x40 issuemakerslab.com, kaientt 0x40 issuemakerslab.com